TruthOf42

Reputation: 2107

How to convert string to HTML safe string

I am creating some dynamically generated HTML

bldr.AppendLine("<a>");
string userText = user.Company;
bldr.AppendLine(userText);
bldr.AppendLine("</a>");

How can I ensure that, whatever the company's name is, it will appear as it should, but also that if they try to inject any HTML in their name it will simply appear in plain text?

For instance if they tried to use the name "<script>alert("Do Bad!")</script>" that's exactly what will appear on the page, in plain text.

But I also want to avoid "A & C" translating to "A \u0026 C", which is what happens when I use

HttpUtility.JavaScriptStringEncode(user.Company);

Upvotes: 29

Views: 111739

Answers (5)

MarkO

Reputation: 2233

An alternative without a dependency on System.Web:

System.Net.WebUtility.HtmlEncode()

Upvotes: 17

Felipe Oriani

Reputation: 38608

You can use the same HttpUtility class you used for JavaScript, but for HTML, for example:

bldr.AppendFormat("<a>{0}</a>\n", HttpUtility.HtmlEncode(user.Company));

There is also the inverse way using HttpUtility.HtmlDecode(string).

Upvotes: 28
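The point the question circles around is that the encoder has to match the output context: HtmlEncode for text between tags, HtmlAttributeEncode for a quoted attribute value, and JavaScriptStringEncode only inside a JavaScript string literal (which is why it produced "\u0026" for "&": that is the right escape for JavaScript, not for HTML). The following is an added example illustrating this, not code from the question or the answers; the helper class SafeHtml, the method names and the sample company names are assumptions made for the demonstration. It targets .NET Framework (reference System.Web.dll) or .NET Core/5+ where HttpUtility ships in System.Web.HttpUtility.dll.

```csharp
using System;
using System.Text;
using System.Web;   // HttpUtility; on .NET Core/5+ this type lives in System.Web.HttpUtility.dll

// Hypothetical helper class written for this example.
static class SafeHtml
{
    // Context 1: element content. HtmlEncode turns <, >, &, " (and ' on .NET 4+)
    // into entities, so a name such as <script>alert("Do Bad!")</script> renders
    // as literal text instead of being parsed as markup.
    public static string AnchorFor(string companyName)
    {
        var bldr = new StringBuilder();
        bldr.Append("<a>");
        bldr.Append(HttpUtility.HtmlEncode(companyName));
        bldr.AppendLine("</a>");
        return bldr.ToString();
    }

    // Context 2: a quoted attribute value. The delimiter that ends this context
    // is the quote, so use HtmlAttributeEncode and always quote the attribute.
    public static string AnchorWithTitle(string companyName)
    {
        return "<a title=\"" + HttpUtility.HtmlAttributeEncode(companyName) + "\">"
             + HttpUtility.HtmlEncode(companyName) + "</a>";
    }

    // Context 3: a JavaScript string literal inside an inline script. This is
    // the only place JavaScriptStringEncode belongs; its \uXXXX escapes are
    // what the JavaScript parser, not the HTML parser, understands.
    public static string ScriptVar(string companyName)
    {
        return "<script>var company = \"" + HttpUtility.JavaScriptStringEncode(companyName) + "\";</script>";
    }

    // Same element-content encoding without a System.Web dependency.
    public static string AnchorForWithWebUtility(string companyName)
    {
        return "<a>" + System.Net.WebUtility.HtmlEncode(companyName) + "</a>";
    }

    static void Main()
    {
        // Constructed sample inputs: a benign name with an ampersand, the
        // injection attempt from the question, and one with both quote styles.
        string[] names =
        {
            "A & C",
            "<script>alert(\"Do Bad!\")</script>",
            "O'Neil \"Bros\" <Ltd>"
        };

        foreach (var name in names)
        {
            Console.WriteLine("input:      " + name);
            Console.WriteLine("element:    " + AnchorFor(name).TrimEnd());
            Console.WriteLine("attribute:  " + AnchorWithTitle(name));
            Console.WriteLine("script:     " + ScriptVar(name));
            Console.WriteLine("WebUtility: " + AnchorForWithWebUtility(name));
            Console.WriteLine();
        }
    }
}
```

Run it as a console app and compare the three encodings of the same input: the element and attribute forms use entities, the script form uses \u escapes. Mixing them up is the bug in the question (JavaScriptStringEncode output pasted between tags), and the reverse mistake, HtmlEncode output pasted into a script string, is just as wrong. HtmlAttributeEncode does not escape ">", which is safe only because the value sits inside a quoted attribute; never emit unquoted attributes.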

Rik

Reputation: 29243

HttpUtility.HtmlEncode(string s)

Upvotes: 1

Manfre

Reputation: 1245

using System.Web;

var encoded = HttpUtility.HtmlEncode(unencoded);

Upvotes: 10

Christoph Fink

Reputation: 23103

You can use the HttpUtility.HtmlEncode method:

var htmlString = HttpUtility.HtmlEncode(user.Company);

Upvotes: 4
